Instant Messaging: A threat hiding in plain sight

This is a contributed piece by Thomas Fischer, threat researcher and security advocate at Digital Guardian.

As employees become more mobile and communications more immediate, Instant Messaging (IM) is becoming a go-to corporate tool. Employees, especially the younger generation, naturally turn to the same messaging applications they use at home to help them plan meetings, discuss business or collaborate on projects.

There are a number of benefits to this new way of communicating. Outside of the instant nature of IM, it is also attractive to users because services are typically ‘free’ – that is, these apps rely on data network services instead of more expensive SMS. But, while the very nature of IM makes it a productivity boon, its use in the workplace creates a significant threat to data security that often lies under the radar.

IM apps have regularly been in the news due to data leakage and security concerns. We recently saw reports that Confide, the messaging app used by White House staff, has bugs that allow snooping. There have also been reports of security issues surrounding WhatsApp and Telegram.

It’s not surprising, when security teams are under so much pressure, that the threats from IM are often hiding in plain sight. So, let’s consider exactly how the IM threat maps out.


The threat from outsiders

Let’s first weigh up the evidence for whether a third party could intercept sensitive business messages within popular IM apps. On the one hand, the company behind WhatsApp’s end-to-end encryption has vehemently denied claims of a backdoor, but both Telegram and Confide are definitely susceptible to interception of messages – not just through encryption backdoors but through metadata as well.

Let's say it was possible to backdoor or break the encryption protocol for one of these apps. Government agencies, competitors or malicious parties would be able to spy and gather valuable information or insights into current business activities. The metadata aspect is also very concerning, as it gives away information about who is messaging, when and where – all information that could be highly valuable in the wrong hands.

Whether metadata is used to identify business activities or the communications are intercepted using a man-in-the-middle attack, the risk is the same – in both cases, important information or data could be divulged.


The threat from insiders

This is possibly the biggest risk to organisations, as messaging apps can become an unmonitored mechanism for a malicious insider to leak sensitive data. The user could copy email text, capture screenshots of file attachments and exfiltrate them via IM. Some of the voice sharing features could even be used to record and transmit meetings.


Stopping this threat is tricky; file transfer over IM is usually beyond the tracing capabilities of the IT department. The lack of search, filtering and archiving capabilities makes it difficult to discover potential breaches of policy, and even harder to hold an individual accountable. Many IM services offer end-to-end encryption, further limiting the ability of IT teams to track and trace data movements.


The threat to compliance

The IM risk extends beyond data leakage. There are a number of regulatory and legal issues surrounding IM. Information that leaves an organisation without the knowledge and control of the IT department has serious implications from a record-keeping standpoint.

Regulators are interested in sensitive data, regardless of the communication channel through which it is distributed. IT teams therefore must be able to monitor, capture and keep a record of corporate information within these services. This is difficult because IM apps encrypt data end-to-end. Moreover, IT teams may not even know an IM app is being used in the first place. For certain types of data, even the act of sharing via IM could be a violation of the GDPR and other privacy guidelines.


IM security advice

Simply banning IM is not an option. Employees like the speed, efficiency and collaborative nature of these channels. IT teams therefore need to find a way to ensure IM doesn’t cause a data security nightmare:

Education: It's extremely hard to control these types of communications methods with the proliferation of smartphones. It’s therefore essential to teach employees IM best practices. And because none of us are perfect, education needs to be backed up with technology.

Boundaries: If the business provides the mobile device, it needs to be managed using an MDM/MAM solution. Policies should be put in place, such as limiting which apps can be installed or controlling the use of the apps when the user is at certain locations, including turning off microphones and cameras.

Alternatives: Some vendors are starting to provide ‘corporate versions’ of their solutions (e.g. Slack Enterprise) that could help meet employee messaging needs while helping IT teams take back control.

IM apps can be valuable corporate communications tools. They also, undoubtedly, complicate the life of IT teams. In order to keep data safe and stay compliant, IM monitoring must take a more prominent role in corporate security policy.


